<?php
/**
 * Klasse für Rechteverwaltung
 */
class Model_Acl extends Zend_Acl {
	
	public function __construct() {
		//Add a new role called "guest"
		$this->addRole(new Zend_Acl_Role('guest'));		 
		//Add a role called client, which inherits from guest
		$this->addRole(new Zend_Acl_Role(Model_Role::ROLE_CLIENT), 'guest');
		//Add a role: developer
		$this->addRole(new Zend_Acl_Role(Model_Role::ROLE_DEVELOPER), Model_Role::ROLE_CLIENT);
		//Add a role: manager
		$this->addRole(new Zend_Acl_Role(Model_Role::ROLE_MANAGER), Model_Role::ROLE_DEVELOPER);
		//Add a role: admin
		$this->addRole(new Zend_Acl_Role(Model_Role::ROLE_ADMIN), Model_Role::ROLE_MANAGER);
		 
		//Add resources
		$this->add(new Zend_Acl_Resource('auth'));
		$this->add(new Zend_Acl_Resource('index'));		
		$this->add(new Zend_Acl_Resource('error'));
		$this->add(new Zend_Acl_Resource('invoices'));
		$this->add(new Zend_Acl_Resource('tickets'));
		$this->add(new Zend_Acl_Resource('projects'));
		$this->add(new Zend_Acl_Resource('users'));
		$this->add(new Zend_Acl_Resource('account'));
		 
		//Add a resource called news, which inherits page
		//$this->add(new Zend_Acl_Resource('news'), 'page');

		//guests may access auth
		$this->allow('guest', 'auth');
		//clients may access error
		$this->allow(Model_Role::ROLE_CLIENT, 'error');
		//clients may access start
		$this->allow(Model_Role::ROLE_CLIENT, 'index');
		//clients may access tickets
		$this->allow(Model_Role::ROLE_CLIENT, 'tickets');
		//clients may access projects
		$this->allow(Model_Role::ROLE_CLIENT, 'projects');
		//clients may access account
		$this->allow(Model_Role::ROLE_CLIENT, 'account');
		//...
		$this->allow(Model_Role::ROLE_MANAGER, 'users');
		//...
		$this->allow(Model_Role::ROLE_MANAGER, 'invoices');
		//clients may NOT edit projects
		$this->deny(Model_Role::ROLE_CLIENT, 'projects', 'edit');
		//clients may NOT delete tickets
		$this->deny(Model_Role::ROLE_CLIENT, 'tickets', 'delete');
		//managers may edit projects
		$this->allow(Model_Role::ROLE_MANAGER, 'projects', 'edit');
		//managers may delete projects
		$this->allow(Model_Role::ROLE_MANAGER, 'tickets', 'delete');
	}
	
};

?>